Christian Ebner [Tue, 28 Jan 2020 16:57:26 +0000 (17:57 +0100)]
logging: Add missing logmsg for inbound rules
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
Thomas Lamprecht [Mon, 27 Jan 2020 18:25:53 +0000 (19:25 +0100)]
bump version to 4.0-10
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Christian Ebner [Tue, 21 Jan 2020 09:24:30 +0000 (10:24 +0100)]
macros: add macro for Proxmox Mail Gateway web interface
Macro to allow access to the PMG web interface when hosted on PVE.
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
Thomas Lamprecht [Thu, 9 Jan 2020 12:03:52 +0000 (13:03 +0100)]
fwtester: sort and group module usage
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 9 Jan 2020 11:55:13 +0000 (12:55 +0100)]
api node: always pass cluster conf to node FW parser
As else the parsing may lead to "false positive" errors, as cluster
wide aliases and other definitions are seemingly missing.
Reproducer:
* add *cluster* alias
* add+enable *host* rule using that alias
* enable FW on DC and node level
* go to Node -> FW -> Options
* check journal/syslog for error like:
> pveproxy[
1339680]: /etc/pve/nodes/dev6/host.fw (line 3) - errors in rule parameters: IN ACCEPT -source test123 -p tcp -sport 22 -log nolog
> pveproxy[
1339680]: source: no such alias 'test123'
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 13 Dec 2019 11:07:16 +0000 (12:07 +0100)]
grammar fix: s/does not exists/does not exist/g
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 3 Dec 2019 07:12:23 +0000 (08:12 +0100)]
bump version to 4.0-9
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Christian Ebner [Mon, 2 Dec 2019 15:55:57 +0000 (16:55 +0100)]
rules: allow connections on port range 60000:60050 in management network for migration
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
Wolfgang Bumiller [Mon, 18 Nov 2019 12:51:46 +0000 (13:51 +0100)]
bump version to 4.0-8
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Alexandre Derumier [Tue, 12 Nov 2019 12:59:04 +0000 (13:59 +0100)]
add synflood protection
Currently, a virtio-net + vhost-net can handle between 200-300 kpps for each vm (with 1core/queue=1).
That mean than a vm can easily overloaded with a simple synflood (hping3 --flood -p 80 -S targetip).
Also the conntrack of the host can be saturated easily.
This patch introduce a new option, enable rate limiting of syn/s by src ip (protection_synflood:1).
rate limit can be set with : protection_synflood_rate (default 200 syn/s)
with an extra burst: protection_synflood_rate (default 1000).
It's also possible to reduce conntrack syn timeout: nf_conntrack_tcp_timeout_syn_recv (default 60).
with default values, a src ip can take around (60 * 200 = 12000 conntrack entries).
The iptables rules are done in raw table, before reaching the conntrack.
This protection works fine for non-spoofed src ip.
For spoofed src ip, the only way could be to implement SYNPROXY,
but this only works for routed/nat setup. (The host need to be able to reply
with the src ip the vm)
Some good information about synflood protections
https://2014.rmll.info/slides/356/day_1-1400-Jesper_Brouer-DDoS_protection_using_Netfilter_iptables.pdf
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Alexandre Derumier [Tue, 12 Nov 2019 12:59:03 +0000 (13:59 +0100)]
iptables : add raw table support
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Fabian Grünbichler [Mon, 11 Nov 2019 10:28:43 +0000 (11:28 +0100)]
d/control: add (build-)depends on libpve-cluster-perl
since it contains PVE::Corosync now
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Thomas Lamprecht [Tue, 22 Oct 2019 09:14:44 +0000 (11:14 +0200)]
fw schemas: add defaults and improve some descriptions
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 22 Oct 2019 09:08:18 +0000 (11:08 +0200)]
increase default nf_conntrack_max to kernel default
for nf_conntrack_max the kernel uses by default the value:
(nf_conntrack_buckets value * 4) and nf_conntrack_buckets
is set to 2^16 for machines with more than 4GB memory, so the
resulting default would be 2^18 == 262144.
As PVE hoists are expected to have more than such a, nowadays rather
small, amount of memory, update the default to match the one which
would be normally used anyway.
[0]: https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Mira Limbeck [Mon, 26 Aug 2019 12:55:25 +0000 (14:55 +0200)]
fix use of uninitialized value
$param->{rename} was not checked for definedness even though it is
optional. This lead to a 'use of uninitialized value' when just updating
the cidr.
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
Fabian Grünbichler [Wed, 7 Aug 2019 08:55:20 +0000 (10:55 +0200)]
bump version to 4.0-7
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Mira Limbeck [Tue, 6 Aug 2019 08:25:14 +0000 (10:25 +0200)]
only add VM chains if VM firewall is enabled
Before if a NIC had the firewall enabled and the MAC filter was active,
a rule was added to the tap device even if the VM firewall was not
enabled. This led to nested machines not being able to reach outside.
Testcase: Host <-> VM <-> CT all on the same bridge. Host and CT could
not reach each other because of the MAC filter.
Now we check if the VM firewall is enabled and only add the MAC and
IP filters then.
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
Fabian Grünbichler [Wed, 7 Aug 2019 07:28:14 +0000 (09:28 +0200)]
fix indentation/whitspace
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Wed, 7 Aug 2019 07:25:36 +0000 (09:25 +0200)]
skip tap rule generation if vmfw is disabled
like for containers, and adapt code style to be identical.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Thomas Lamprecht [Tue, 23 Jul 2019 16:57:54 +0000 (18:57 +0200)]
bump version to 4.0-6
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Christian Ebner [Fri, 12 Jul 2019 11:31:34 +0000 (13:31 +0200)]
firewall macros: add new Ceph protocol v2 port while keeping v1 port
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
Thomas Lamprecht [Fri, 12 Jul 2019 11:02:35 +0000 (13:02 +0200)]
followup code cleanup
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 12 Jul 2019 09:47:57 +0000 (11:47 +0200)]
bump version to 4.0-5
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 12 Jul 2019 09:30:12 +0000 (11:30 +0200)]
remove base path of runcommand calls
this makes us compatible with both, usrmerged and non-usrmerged
systems, also it's the recommended way - we have a sane PATH in
run_command
Also transform to array calls, if we touch them anyway
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 11 Jul 2019 17:40:22 +0000 (19:40 +0200)]
bump version to 4.0-4
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Wed, 10 Jul 2019 11:33:07 +0000 (13:33 +0200)]
use /usr/sbin as base path
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Fabian Grünbichler [Wed, 10 Jul 2019 09:59:20 +0000 (11:59 +0200)]
ebtables: treat chain deletion as change
since it is one. otherwise, 'pve-firewall compile' will print false
information as long as the deletion has not been applied yet.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Wed, 10 Jul 2019 09:59:19 +0000 (11:59 +0200)]
ebtables: remove PVE chains properly
when globally disabling the FW, or on shutdown of firewall service.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Thomas Lamprecht [Thu, 4 Jul 2019 13:57:06 +0000 (15:57 +0200)]
bump version to 4.0-3
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Fabian Grünbichler [Wed, 3 Jul 2019 13:58:51 +0000 (15:58 +0200)]
localnet: skip local node for corosync information
since we neither do nor actually need to allow such traffic.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Wed, 3 Jul 2019 13:58:16 +0000 (15:58 +0200)]
localnet: simplify code
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Wed, 3 Jul 2019 13:57:43 +0000 (15:57 +0200)]
localnet: rename variables
to prevent confusion between local nodename and iterator entry
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Stefan Reiter [Wed, 3 Jul 2019 12:27:35 +0000 (14:27 +0200)]
Formatting fixes (trailing whitespace and indentation)
Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
Stefan Reiter [Wed, 3 Jul 2019 12:27:34 +0000 (14:27 +0200)]
Display corosync rule info on localnet call
If no corosync.conf exists (i.e. a standalone node), the output is left
the same.
Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
Stefan Reiter [Wed, 3 Jul 2019 12:27:33 +0000 (14:27 +0200)]
Check if corosync.conf exists before calling parser
Calling cfs_read_file with no corosync.conf (i.e. on a standalone node)
returns {} instead of undef. The previous patches assumes undef for this
scenario. To avoid confusing checks all over the place, simply leave the
config as undef if no file exists.
Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
Fabian Grünbichler [Tue, 2 Jul 2019 09:48:01 +0000 (11:48 +0200)]
add missing build-depends on libpve-access-control
needed for building the doc files / pve-firewall synopsis
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 2 Jul 2019 08:46:01 +0000 (10:46 +0200)]
add versioned (build-) dependency on pve-cluster
for newly introduced corosync helpers
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 2 Jul 2019 08:27:49 +0000 (10:27 +0200)]
corosync: refactor if conditions
to remove one level of indentation
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 2 Jul 2019 08:24:45 +0000 (10:24 +0200)]
corosync: fix multicast detection
for Corosync 3.x, multicast is only needed if the transport is explicitly set to 'udp'
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Stefan Reiter [Mon, 1 Jul 2019 15:22:17 +0000 (17:22 +0200)]
Only include multicast rules if transport is udp
Only applies to corosync 3.
Testing config is changed to allow simulation of multicast rules.
Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
Stefan Reiter [Mon, 1 Jul 2019 15:22:16 +0000 (17:22 +0200)]
Update and add tests for corosync firewall changes
Since corosync rules are now only created when a corosync.conf file is
present, a static corosync.conf has been added and will be loaded for
testing.
New test rules have been introduced to check corosync rules relating to
different rings/links.
Includes hostnames in config to trigger resolving codepaths.
Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
Stefan Reiter [Mon, 1 Jul 2019 15:22:15 +0000 (17:22 +0200)]
Create corosync firewall rules independently of localnet
"localnet" does not necessarily correspond to the correct network for
corosync (e.g. corosync rings/link can be run independently from other PVE
cluster service networks).
This change uses the previously introduced sub 'for_all_corosync_addresses'
to iterate through all nodes in a corosync cluster and generate rules for
all nodes and all their respective ringX_addr's it finds.
The rules are generated as strict as possible, there is a specific rule
for every remote node and every ring/link. Also, communication "between"
different links/rings is not allowed, e.g. a remote ring1_addr cannot
contact a local ring0_addr, and vice versa.
Multicast is always allowed, for backwards compatibility. Note however,
that we no longer filter on the source of inbound multicast packets,
since that would require localnet, and thus introduce the bug we're
trying to fix once again.
Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
Thomas Lamprecht [Mon, 24 Jun 2019 18:43:57 +0000 (20:43 +0200)]
bump version to 4.0-2
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Mon, 24 Jun 2019 18:36:09 +0000 (20:36 +0200)]
pve-firewall.service: update-alternative ip-/eb- tables to legacy versions
This is rather a bit of an hack but works for us for now.
we need to use the legacy versions for both due some bugs in the
nftables based versions, i.e., for iptables it's Debian bug #929527 [0]
and for ebtables it's Debian bug #929976 [1]. While the first gained
some response from the maintainer and a solution is in sight it's
currently blocked by Buster release freeze policy. The second one did
not get any response so far.
[0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929527
[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929976
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 28 May 2019 06:06:39 +0000 (08:06 +0200)]
fix CT rule generation with ipfilter set
commit
255698f65192e736708f123d380bbed2aa8c3eac tried to prevent an
error from happening but wasn't to well thought out, perl's operator
precedence was overlooked.
The commit resulted effectively in:
if (my $ip = ($net->{ip} && $vmfw_conf->{options}->{ipfilter})) ...
But intended was:
if (defined(my $ip = $net->{ip}) && $vmfw_conf->{options}->{ipfilter}) ...
First one makes $ip always boolean true (1 in perl) if the if branch
is hit, and the seconds really has then the $ip value in it..
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sat, 25 May 2019 16:27:46 +0000 (18:27 +0200)]
fix systemd warning about PIDFile directory
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 23 May 2019 16:19:56 +0000 (18:19 +0200)]
buildsys: switch upload dist over to buster
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 21 May 2019 20:30:27 +0000 (22:30 +0200)]
bump version to 4.0-1
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 21 May 2019 20:30:14 +0000 (22:30 +0200)]
bump debian compat level to 10
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 21 May 2019 20:28:39 +0000 (22:28 +0200)]
buildsys: use dpkg-dev makefile helpers for pkg info
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 21 May 2019 20:12:44 +0000 (22:12 +0200)]
d/control: fix build-depends-on-obsolete-package
build-depends: dh-systemd => use debhelper (>= 9.
20160709)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 21 May 2019 20:11:48 +0000 (22:11 +0200)]
d/control: fix priority-extra-is-replaced-by-priority-optional
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Christian Ebner [Wed, 15 May 2019 15:09:13 +0000 (17:09 +0200)]
Remove redundant logging of packets passing the tap chain.
Incomming and outgoing packets passing the firewall bridge were unneccessarily
logged, leading to double entries.
The first log entry occurred when passing the bridge, the second when the packets
fate was decided (ACCEPT/DROP/REJECT).
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
Thomas Lamprecht [Wed, 8 May 2019 10:18:38 +0000 (10:18 +0000)]
bump version to 3.0-21
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 7 May 2019 09:52:58 +0000 (09:52 +0000)]
followup: do not replace original variable content
this could be confusing, if someone adds code which uses $net->{ip}
it may work for the case were ipfilter is off but not else (which may
not get tested), so keep the original $net intact and copy the scalar
value..
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 7 May 2019 09:40:57 +0000 (09:40 +0000)]
followup: code cleanup and comment
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Alexandre Derumier [Thu, 2 May 2019 05:04:16 +0000 (07:04 +0200)]
fix #2193: arpfilter: CT: remove mask from net ip cidr.
We need to send to ebtables an host address without prefix or with
/32 prefix.
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Alexandre Derumier [Mon, 29 Apr 2019 14:18:46 +0000 (16:18 +0200)]
fix ipv6 PVEFW-reject
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Thomas Lamprecht [Fri, 19 Apr 2019 05:11:22 +0000 (05:11 +0000)]
bump version to 3.0-20
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 19 Apr 2019 04:51:38 +0000 (04:51 +0000)]
fix reading host.fw through IPCC interface
IPCC has no knowledge about FUSE based links, but we used
'local/host.fw' here, where local is always a link to
'nodes/<LOCAL-NODENAME>/', this works only when using the common file
system interface provided by FUSE, but not if we're talking directly
with our memdb file store through IPCC..
So use a nodename based path here, to avoid getting just empty
strings for host.fw.
fixes commit
0dbef53046fade02efec143d3b7a0f4f9021b618
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Mira Limbeck [Wed, 17 Apr 2019 14:44:16 +0000 (16:44 +0200)]
fix #2178: endless loop on ipv6 extension headers
increment header and decrement payload size by the extensions size. the
length calculation is different for some extensions. in our case only
IPPROTO_FRAGMENT requires a different size calculation than the rest. in
addition 'proto' is now set in the loop when advancing from an
extension header. it moves on to the next extension or protocol now
instead of looping on the same 'proto' while advancing the payload.
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
Thomas Lamprecht [Wed, 17 Apr 2019 12:02:06 +0000 (12:02 +0000)]
remove useless unused Data::Dumper uses
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 12 Apr 2019 11:50:27 +0000 (13:50 +0200)]
firewall: split and order modules
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 11 Apr 2019 13:28:36 +0000 (15:28 +0200)]
use IPCC to read FW files if the are backed by pmxcfs
This allows us to profit from the IPCC pmxcfs restart mechanisms,
which will block this call for the grace period (~10 seconds) and
transparently try to reconnect to the IPCC interface of pmxcfs, if a
restart is detected..
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 11 Apr 2019 13:28:35 +0000 (15:28 +0200)]
remove a level of indirection on FW config parsing
the removed methods where only used by those we merged their code
into.
Opening the FH in the generic parser safes a bit of repetition too..
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 11 Apr 2019 13:28:34 +0000 (15:28 +0200)]
make verbose a global state
This is part of the project 'stop the parameter rabbit hole madness'
and tries to make reading the firewall code a little bit easier.
Here we remove passing $verbose from 44 method signatures, while it
was used in 4 of those methods, a ration of 1/11 is simply not
acceptable for such a thing as a verbosity flag..
Remove it, and just make it a global variable with a setter for now.
Verbose is not modified in any API call, only in a Service
environment callablle by CLI, so we are save to do so.
If we decide to add some sort of firewall instance (i.e., a blessed
$self "object") with some state we could also move it there, but
making it global now doesn't hurt.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 2 Apr 2019 09:18:30 +0000 (11:18 +0200)]
bump version to 3.0-19
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 2 Apr 2019 09:18:21 +0000 (11:18 +0200)]
buildsys: no need to not pre-clean for source package
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Mon, 1 Apr 2019 11:57:41 +0000 (13:57 +0200)]
buildsys: correctly cleanup source tarball
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 21 Mar 2019 06:57:43 +0000 (07:57 +0100)]
allow to enable/disable and modify cluster wide log ratelimits
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Reviewed-by: Christian Ebner <c.ebner@proxmox.com>
Thomas Lamprecht [Sun, 31 Mar 2019 13:43:40 +0000 (15:43 +0200)]
buildsys: add dsc target
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sun, 31 Mar 2019 13:24:42 +0000 (15:24 +0200)]
cleanup makefiles, set target dirs per makefile
be more consistent with the buildsystems of our other packages.
compared old to new with diffoscope, no real changes (besides
different SOURCE file, as base check commits differ)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sat, 30 Mar 2019 16:36:16 +0000 (17:36 +0100)]
fix Razor macro
'ACCEPT' was plain wrong here and broken and disables ALL firewalling
for a Container, at least when used in a Security Group.
fixes
857f62c833a604eb8399467a94d325c1994367eb
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Reported-by: Tom Weber <pve@junkyard.4t2.com>
Mira Limbeck [Tue, 19 Mar 2019 13:27:31 +0000 (14:27 +0100)]
add 'log_nf_conntrack' option description
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
Thomas Lamprecht [Tue, 19 Mar 2019 13:37:56 +0000 (14:37 +0100)]
followup: minor code style fix
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 19 Mar 2019 13:36:40 +0000 (14:36 +0100)]
followup: use default burst limit of 5
it does not hurt and can be be used to see high frequeny occurences
of certain rules which hit.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Christian Ebner [Mon, 18 Mar 2019 16:05:53 +0000 (17:05 +0100)]
fix: #2123 Logging of user defined firewall rules
This allows a user to log traffic filtered by a self defined firewall rule.
Therefore the API is extended to include a 'log' option allow to specify the
log level for each rule individually.
The 'log' option can also be specified in the fw config. In order to reduce the
log amount, logging is limited to 1 entry per second.
For now the rule has to be created or edited via the pvesh API call or via the
firewall config in order to set the log level.
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
Alexandre Derumier [Sun, 10 Mar 2019 07:25:07 +0000 (08:25 +0100)]
ebtables: test layer2_protocols in an external chain
We need the not matching DROP outside the main tapchain,
in a specific proto chain, and a ACCEPT in the main tap chain.
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Alexandre Derumier [Sun, 10 Mar 2019 07:25:06 +0000 (08:25 +0100)]
ebtables: add arp filtering
This implemented arp filtering if ipfilter is enable
https://bugzilla.proxmox.com/show_bug.cgi?id=2125
They are another filters possible (ipv4,rarp),
i don't known if we need them.
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Thomas Lamprecht [Mon, 4 Mar 2019 09:27:42 +0000 (10:27 +0100)]
bump version to 3.0-18
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 22 Feb 2019 12:31:32 +0000 (13:31 +0100)]
d/control: bump version dependency to pve-doc-generator
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Christian Ebner [Thu, 21 Feb 2019 13:24:59 +0000 (14:24 +0100)]
1891 Add zsh command completion for pve-firewall
Adds the zsh command completion scripts for pve-firewall.
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
Alexandre Derumier [Wed, 20 Feb 2019 00:16:58 +0000 (01:16 +0100)]
daemon: cleanup '+' character at begin of line
this stray '+' was introduced by
commit
151c209e05a9e15d5d7a9402391ca936e562a173 while it had no
effect let's remove it nonetheless.
Alwin Antreich [Wed, 13 Feb 2019 11:27:58 +0000 (12:27 +0100)]
Fix unitialized value $mark in bitwise operation
Signed-off-by: Alwin Antreich <a.antreich@proxmox.com>
Alexandre Derumier [Tue, 5 Feb 2019 10:22:45 +0000 (11:22 +0100)]
log reject : add space after policy REJECT like drop
For log consistency and parsing, we already have a space after "policy DROP: "
but not REJECT
ex:
DROP
135 6 tap135i1-IN 05/Feb/2019:10:59:55 +0100 policy DROP: IN=.....
REJECT
232 6 tap232i1-IN 05/Feb/2019:10:59:28 +0100 policy REJECT:IN=....
Thomas Lamprecht [Mon, 4 Feb 2019 13:22:41 +0000 (14:22 +0100)]
followup: avoid long hash access, use own variable
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Christian Ebner [Fri, 1 Feb 2019 09:46:11 +0000 (10:46 +0100)]
Fix #1606 Add nf_conntrack_allow_invalid option
This adds the nf_conntrack_allow_invalid host firewall option to allow to disable
the dropping of invalid packets from the connection tracker point of view.
This is needed for some rare setups with asymmetrical multi-path routing.
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
Wolfgang Bumiller [Fri, 25 Jan 2019 09:56:16 +0000 (10:56 +0100)]
buildsys: build a dbgsym package
don't forcefully strip debug components out of the firewall
logger...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Thomas Lamprecht [Wed, 9 Jan 2019 15:54:29 +0000 (16:54 +0100)]
bump version to 3.0-17
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
David Limbeck [Wed, 9 Jan 2019 14:32:10 +0000 (15:32 +0100)]
log and ignore ENOBUFS in nfct_catch
nfct_catch sets ENOBUFS if not enough buffer space is available. log
and continue operation instead of stopping. in addition log possible
other errors set by nfct_catch
Signed-off-by: David Limbeck <d.limbeck@proxmox.com>
Wolfgang Bumiller [Wed, 9 Jan 2019 13:26:00 +0000 (14:26 +0100)]
fixup va_arg usage
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
David Limbeck [Thu, 13 Dec 2018 12:08:52 +0000 (13:08 +0100)]
add log_nf_conntrack host firewall option
add log_nf_conntrack host firewall option to enable or disable logging
of connections. restarts pvefw-logger if the option changes in the
config. the pvefw-logger is always restarted in the beginning to make
sure the current config is applied.
Signed-off-by: David Limbeck <d.limbeck@proxmox.com>
David Limbeck [Thu, 13 Dec 2018 12:08:51 +0000 (13:08 +0100)]
add conntrack logging via libnetfilter_conntrack
add conntrack logging to pvefw-logger including timestamps (requires
/proc/sys/net/netfilter/nf_conntrack_timestamp to be 1).
this allows the tracking of sessions (start, end timestamps with
nf_conntrack_timestamp on [DESTROY] messages). commit includes
Build-Depends inclusion of libnetfilter-conntrack-dev and
libnetfilter_conntrack library in the Makefile.
Signed-off-by: David Limbeck <d.limbeck@proxmox.com>
Dominik Csapak [Fri, 30 Nov 2018 15:31:41 +0000 (16:31 +0100)]
fix #2004: do not allow backwards ranges
ranges like 10:5 are allowed by us, but iptables throws an error
that is only visible in the syslog and the firewall rules do not
get updated
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak [Fri, 30 Nov 2018 08:53:49 +0000 (09:53 +0100)]
fix #2005: only allow ascii port digits
perl accepts non-ascii digits for \d like U+09EA
which do not work with iptables
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Thomas Lamprecht [Fri, 30 Nov 2018 15:03:11 +0000 (16:03 +0100)]
bump version to 3.0-16
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dominik Csapak [Thu, 29 Nov 2018 13:29:03 +0000 (14:29 +0100)]
macro: fix return verification failure
macros are strings not integers
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Thomas Lamprecht [Fri, 23 Nov 2018 13:05:23 +0000 (14:05 +0100)]
bump version to 3.0-15
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Rhonda D'Vine [Mon, 12 Nov 2018 14:14:46 +0000 (15:14 +0100)]
d/control: add missing Build-Depends
Found while building in a clean chroot.
Signed-off-by: Rhonda D'Vine <rhonda@proxmox.com>
Rhonda D'Vine [Mon, 12 Nov 2018 14:14:45 +0000 (15:14 +0100)]
Fix #1971: display firewall rule properties
This is the list of the properties that should get returned in the
pretty print format, too, not just in yaml/json output.
Signed-off-by: Rhonda D'Vine <rhonda@proxmox.com>
projects / pve-firewall.git / log